U.S. Department of the Interior
Office of Inspector General

AUDIT REPORT

GENERAL AND APPLICATION CONTROLS OVER THE TECHNICAL INFORMATION MANAGEMENT SYSTEM, OFFSHORE MINERALS MANAGEMENT, MINERALS MANAGEMENT SERVICE

REPORT NO. 00-I-647
AUGUST 2000

EXECUTIVE SUMMARY

General and Application Controls Over the Technical Information Management System, Offshore Minerals Management, Minerals Management Service
Report No. 00-I-647
August 2000

BACKGROUND

The Minerals Management Service (MMS) manages the Nation's natural gas, oil, and other mineral resources on the Outer Continental Shelf and collects, accounts for, and disburses revenues from offshore and onshore mineral leases on Federal and Indian lands. MMS's Offshore Minerals Management (OMM) program manages the Outer Continental Shelf mineral leases. These leases result in more than $4 billion of royalties being collected annually. OMM also provides oversight to ensure safe and environmentally sound exploration and production of the Nation's mineral resources on the Outer Continental Shelf. To accomplish its mission and to automate business and regulatory functions, OMM designed, developed, and implemented the Technical Information Management System (TIMS), an MMS mission-critical system and a comprehensive corporate database.

OBJECTIVE

The objective of the audit was to determine whether OMM had effective general and application controls over TIMS and whether TIMS was operated in compliance with applicable Federal laws and regulations. In addition, we performed this audit to support the Office of Inspector General's examination of the financial statements of MMS by evaluating the reliability of the controls over computer-generated data that support the Royalty Management Program's portion of the financial statements.

RESULTS IN BRIEF

Overall, we concluded that OMM had established adequate general and application controls over TIMS. However, improvements are needed in four areas of OMM's general and application controls over TIMS: the security program, the continuity of operations plan to protect data in the event of a disaster or a system failure, controls over access to TIMS data, and software development and change management. Federal laws and regulations and Department of the Interior and MMS policies and procedures require that general and application controls be established and implemented to protect information in computer systems. Weaknesses existed in the controls over TIMS because OMM management had not developed an adequate security program and had not ensured that policies and procedures were followed.
The lack of adequate controls increased the risk that TIMS data could be accessed and modified or disclosed by unauthorized users, that TIMS software and data could be stolen or destroyed, that TIMS functions and processes could not be recovered in the event of a disaster or a system failure, and that TIMS could not perform as intended.

RECOMMENDATIONS

We made 15 recommendations related to MMS's controls over TIMS. These recommendations related to improving (1) OMM's security program over TIMS, (2) TIMS' continuity of operations plan, (3) access controls to TIMS and its databases, and (4) the policies and procedures for making changes to TIMS software and for testing the changes.

AUDITEE COMMENTS AND OIG EVALUATION

MMS concurred with the report's 15 recommendations. Based on the response, we considered eight recommendations resolved and implemented and seven recommendations resolved but not implemented.

A-IN-MMS-001-99-R

United States Department of the Interior
OFFICE OF INSPECTOR GENERAL
Washington, D.C. 20240

AUDIT REPORT

Memorandum

To: Director, Minerals Management Service

From: Roger La
Acting Assistant Inspector General for Audits

Subject: Audit Report on General and Application Controls Over the Technical Information Management System, Offshore Minerals Management, Minerals Management Service (No. 00-I-647)

INTRODUCTION

This report presents the results of our review of general and application controls over the Minerals Management Service's (MMS) Technical Information Management System (TIMS). The objective of the audit was to determine whether MMS had effective controls over TIMS and whether TIMS was operated in compliance with applicable Federal laws and regulations. In addition, we performed this audit to support the Office of Inspector General's examination of the financial statements of MMS by evaluating the reliability of the controls over computer-generated data that support the Royalty Management Program's portion of the financial statements.

BACKGROUND

MMS manages the Nation's natural gas, oil, and other mineral resources on the Outer Continental Shelf and collects, accounts for, and disburses revenues from offshore and onshore mineral leases on Federal and Indian lands. In 1998, MMS collected $5.6 billion from Federal and Indian mineral lessees, of which $4.3 billion was from Outer Continental Shelf mineral lessees. MMS has two specialized operating programs, the Offshore Minerals Management (OMM) program and the Royalty Management Program. OMM manages the Outer Continental Shelf mineral leases and provides oversight to ensure the safe and environmentally sound exploration and production of the Nation's mineral resources on the Outer Continental Shelf. OMM has its headquarters in Washington, D.C., with offices in Herndon, Virginia, and has regional offices in New Orleans, Louisiana; Anchorage, Alaska; and Camarillo, California. Also, the headquarters OMM Leasing Division has its Mapping and Boundary Branch located in Denver, Colorado. The Royalty Management Program manages the accounting for and the collection and disbursement of royalty, rent, and bonus revenues generated from Federal and Indian mineral leases.

To accomplish its mission, OMM designed, developed, and implemented TIMS, an MMS mission-critical system and a comprehensive corporate database that replaced and upgraded all Federal information processing resources which supported the OMM program. TIMS was developed to modernize and replace several critical offshore systems, including the Outer Continental Shelf Information System, the Offshore Inspection System, the Automated Cartographic System, and the Geological and Geophysical Database. TIMS information is used, in part, to update the Royalty Management Program system with oil and gas well production data from offshore leases to assist in verifying the accuracy of royalties collected from the Outer Continental Shelf.

TIMS is a computerized information system that automates all business and regulatory functions of OMM. TIMS is a three-tier[1] client/server platform with application servers located at all the OMM regional offices (three) and district offices (six) and database servers located at the regional offices. The Chief of the OMM Information Technology Division is the owner of TIMS. The Division is responsible for developing and maintaining TIMS's database structures, and regional and district offices are responsible for the data in the databases. TIMS employs the Oracle relational database management system and tools to manage data and support OMM business functions. In addition, TIMS includes commercial off-the-shelf software for OMM geologic interpretive tools and mapping functions. TIMS is constructed of 41 business components[2] (the components are listed in Appendix 2) which include more than 800 modules. To operate, TIMS uses approximately 55 different types of hardware items, such as personal computers and network equipment, and 68 software items, such as Windows NT and UNIX operating systems, ArcView, Geoquest, and Microsoft Office.

[1] A three-tier client/server environment is defined as one in which "the user interface is stored in the client, the bulk of the business application logic is stored in one or more servers, and the data are stored in a database server." (The Computer Language Company, Inc., Computer Desktop Encyclopedia, 1981-1999)

[2] TIMS is divided into major groupings or components that correspond to the different activities overseen by OMM.

SCOPE OF AUDIT

We reviewed OMM general and application controls over TIMS. Specifically, we reviewed the following general controls: (1) software development and change management, (2) risk assessment, (3) security plans, (4) service continuity, (5) system software, and (6) access controls. For application controls, we reviewed input, processing, authorization, and output.

To accomplish our objective, we interviewed OMM and contractor personnel, reviewed application and systems documentation, observed and became familiar with system operations and data structures, analyzed access and security controls, and evaluated service continuity procedures and testing. The audit was conducted at the Information Technology Division Office of OMM and the OMM Gulf of Mexico Regional Office in New Orleans and at Division headquarters and the Information Management Division in Herndon. Although TIMS is installed at all of the regional offices, our review was limited to the Gulf of Mexico Regional Office because this regional office processes almost 90 percent of the data related to oil and gas production and Outer Continental Shelf royalties.

Our audit was made in accordance with the "Government Auditing Standards," issued by the Comptroller General of the United States. Accordingly, we included such tests of records and other auditing procedures that were considered necessary under the circumstances.

As part of our audit, we employed statistical test samples to determine the adequacy of TIMS access controls and software development and change management procedures. Specifically, we randomly selected 77 TIMS users from a list of 849 users who had access to TIMS. Also, we randomly selected 132 change requests from a list of 1,157 change requests for the period of October 1998 through June 1999.

During our audit, the Department of the Interior's Office of Information Resources Management contracted to acquire professional services to support the Department with testing, analysis, and vulnerability assessment of Departmentwide information technology architecture. Specifically, the contractor was tasked with performing a comprehensive vulnerability analysis (using Internet Security Systems scanning software) of Departmental internet protocol address assignments, which included OMM internet protocol addresses. Accordingly, we did not review the results of the contractor's analysis of OMM networks.

PRIOR AUDIT COVERAGE

During the past 5 years, neither the General Accounting Office nor the Office of Inspector General has issued any reports related to OMM's general and application controls over TIMS.

RESULTS OF AUDIT

We concluded that overall, MMS's OMM had established adequate general and application controls over TIMS. However, we believe that the general controls of OMM need improvements in four areas: security program; continuity of operations in the event of a disaster or a system failure; controls over access to TIMS; and software development and change management. Office of Management and Budget Circular A-130, "Management of Federal Information Resources," and National Institute of Standards and Technology publications and guidelines require agencies to establish and implement computer security and management and internal controls to improve the protection of sensitive[3] information in the computer systems of executive branch agencies. Additionally, the Congress enacted laws, such as the Privacy Act of 1974 (5 U.S.C. § 552a) and the Computer Security Act of 1987 (40 U.S.C. § 759), to improve the security and privacy of sensitive information in computer systems by requiring executive branch agencies to ensure that the level of computer security and controls over sensitive information is adequate. Further, the Department of the Interior and MMS have issued policies and procedures to implement general and application controls to protect sensitive data in automated information systems. Weaknesses existed in the general controls over TIMS because OMM management had not developed an adequate security program and had not ensured that policies and procedures were followed. The lack of adequate controls may increase the risk of (1) unauthorized access and modifications to and disclosure of sensitive TIMS data, (2) theft or destruction of OMM software and sensitive information, (3) loss of TIMS systems and functions in the event of a disaster or a system failure, and (4) TIMS not performing as intended.

In the four areas that needed improvements in the controls, we identified 8 weaknesses and made 15 recommendations for improving the controls over TIMS. The weaknesses are summarized in the paragraphs that follow, and details of the weaknesses and our respective recommendations to correct these weaknesses are in Appendix 1.

[3] "Sensitive data" is defined in 40 U.S.C. § 759 as "any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under section 552a of Title 5, United States Code (the Privacy Act)."

Security Program

OMM management did not have a security plan for TIMS and did not ensure that computer security awareness training was provided. As a result, there was an increased risk that sensitive data could be impaired or compromised and that data could be inadvertently disclosed or destroyed or erroneously modified. We made three recommendations to correct these weaknesses.

Service Continuity

OMM's contingency planning, backup, and disaster recovery procedures did not provide reasonable assurance that the TIMS processing environment could be recovered in the event of a disaster or a system failure. Specifically, the Continuity of Operations Plan had not been tested, critical personnel had not been trained to effectively implement the Plan, a copy of the Plan was not kept at the off-site storage facility, and TIMS data and applications were not routinely transferred to the off-site storage facility. As a result, there was an increased risk that the mission-critical TIMS could not be recovered in the event of a disaster or a system failure. We made five recommendations to address these weaknesses.

Access Controls

OMM management did not limit the number of unsuccessful log-in attempts allowed for access to TIMS to the Departmental standard, did not control password settings, did not remove in a timely manner access for employees who terminated their employment, and did not control access to TIMS databases. As a result, there was an increased risk that sensitive data maintained on TIMS were vulnerable to unauthorized access, manipulation, and disclosure. We made four recommendations to address these weaknesses.

Software Development and Change Management

OMM management did not implement controls to ensure that TIMS application software changes were authorized, approved, and tested before being moved into production. As a result, there was an increased risk that TIMS applications may not perform as intended. We made three recommendations to address these weaknesses.

MMS Response and Office of Inspector General Reply

In the July 19, 2000 response (Appendix 3) to the draft report from the Director of MMS, MMS concurred with all of the 15 recommendations. Based on the response, we consider Recommendations C.1, C.3, C.4, D.1, D.2, E.1, F.1, and G.1 resolved and implemented and Recommendations A.1, B.1, B.2, C.2, C.5, G.2, and H.1 resolved but not implemented. Accordingly, the unimplemented recommendations will be forwarded to the Assistant Secretary for Policy, Management and Budget for tracking of implementation.

Although MMS concurred with Recommendation H.1, it disagreed with the "analysis that drew the auditors to the recommendation." MMS stated that although the TIMS Maintenance Methodology required test plans, the test plans were not required for "routine and/or minor changes," such as reports, system administration functions, database triggers, software packages, and menu changes. We believe that testing is a critical component of software maintenance because testing ensures that applications meet user and management needs, produce reliable data, and operate in accordance with laws, regulations, and management policies and procedures. Test plans should define the expected output and include tests for valid, invalid, expected, and unexpected results. The TIMS Maintenance Methodology does not allow for exceptions from change management procedures such as testing for system administration, database triggers, software packages, and menu changes. Further, the TIMS Maintenance Methodology does not allow for exceptions to exclude the quality assurance group and user group from testing changes prior to the changes being moved into production. The Methodology states that "every TIMS work product must pass quality assurance tests before made available for testing by the Customer User Acceptance Team."

Since the report's recommendations are considered resolved, no further response to the Office of Inspector General is required (see Appendix 4).

Section 5(a) of the Inspector General Act (5 U.S.C. app. 3) requires the Office of Inspector General to list this report in its semiannual report to the Congress.
In addition, the Office of\nInspector General provides audit reports to the Congress.\n\n\n\n\n                                               8\n\x0c                                                                              APPENDIX 1\n                                                                               Page 1 of11\n\n\n\nDETAILS      OF WEAKNESSES                  AND RECOMMENDATIONS\n\nSECURITY      PROGRAM\n\nA. Computer Security Plan\n\nCondition:   Offshore Minerals Management (OMM) had not developed a security plan\n             for the Technical Information Management System (TIMS), which has been\n             identified by the Minerals Management Service (MMS) as a sensitive and\n             mission-critical system.\n\nCriteria:    Security plans are required by 40 U.S.C. 0 759 and Appendix III, \xe2\x80\x9cSecurity\n             of Federal Automated Information Resources,\xe2\x80\x9d ofOffice ofManagement and\n             Budget Circular A-l 30, \xe2\x80\x9cManagement of Federal Information Resources,\xe2\x80\x9d to\n             be developed for all sensitive computer systems. A computer security plan\n             is designed to assist agencies in addressing the protection of general support\n             systems and major applications that contain sensitive information to help\n             ensure the system\xe2\x80\x99s integrity, availability, and confidentiality. In addition,\n             National Institute of Standards and Technology\xe2\x80\x99s (NIST) Special Publication\n             800-l 8, \xe2\x80\x9cGuide for Developing Security Plans for Information Technology\n             Systems,\xe2\x80\x9d provides guidance on developing, implementing, and monitoring\n             security plans for automated information systems. 
Also, Appendix III of\n             Circular A- 130 requires that a summary of the security plan be incorporated\n             into the agency\xe2\x80\x99s Strategic Information Resources Management Plan.\n             Additionally, Appendix III of Circular A-l 30 states that the lack of a security\n             plan for a major application should be considered a deficiency pursuant to\n             Office ofManagement Budget Circular A-123, \xe2\x80\x9cManagement Accountability\n             and Control,\xe2\x80\x9d and the Federal Managers\xe2\x80\x99 Financial Integrity Act (3 1 U.S.C.\n             $ 1105,1113, and3512).\n\nCause:       OMM information technology officials did not ensure that a computer\n             security plan for TIMS was prepared in accordance with 40 U.S.C. 6 759,\n             Office of Management and Budget requirements, and NIST guidelines.\n             According to OMM officials, a draft TIMS Y2K (Year 2000) contingency\n             plan was prepared that addressed degradation or failure of activities and\n             remedies should any event threaten or disable the system. 
However, this plan\n             did not meet the requirements for a security plan because it did not include\n             the rules of the system, such as rules of behavior concerning use of, security\n             in, and acceptable level of risk for the system; training of all individuals on\n             their security responsibilities; personnel controls; incident response\n\n\n                                            9\n\x0c                                                                           APPENDIX 1\n                                                                            Page2ofll\n\nSECURITY         PROGRAM\n\n              capability; continuity of support; technical security; and identification of\n              connections to other systems.\n\nEffect:       Without this plan, OMM did not have adequate assurance that data in its\n              TIMS were adequately protected.\n\nRecommendation\n\nWe recommend that the Director of MMS ensure that a computer security plan for TIMS is\ndeveloped, implemented, and monitored in accordance with the United States Code, Office\nof Management and Budget Circular A-130, and NIST guidelines.\n\n\n\n\n                                           10\n\x0c                                                                                  APPENDIX 1\n                                                                                   Page 3 of 11\n\nSECURITY          PROGRAM\n\nB. Computer         Security Training\n\nCondition:       Mandatory computer security awareness training had not been provided to\n                 OMM employees and contractor personnel. 
Specifically, at least 220 Gulf of\n                 Mexico Regional Office and district personnel and Information Technology\n                 Division personnel had not received annual computer security awareness\n                 training since 1992.\n\nCriteria:        Mandatory periodic training in computer security awareness and accepted\n                 computer security practices is required by 40 U.S.C. 4 759 for employees\n                 who are involved in managing, using, or operating each Federal computer\n                 system within or under the supervision of that agency. In addition, the\n                 Department of the Interior\xe2\x80\x99s \xe2\x80\x9cAutomated Information Systems Security\n                 Handbook\xe2\x80\x9d requires that computer security training be provided on an\n                 ongoing basis and that refresher training be provided at least annually.\n\nCause:           OMM information technology officials had not established policies and\n                 procedures to ensure that annual computer security awareness training was\n                 completed in accordance with applicable computer security guidelines.\n\nEffect:          Without annual training in computer security awareness and accepted\n                 computer security practices of employees who are involved in managing,\n                 using, or operating sensitive OMM computer systems, including TIMS, there\n                 is an increased risk of unauthorized disclosure of sensitive and propriety data.\n\nRecommendations\n\nWe recommend that the Director of MMS:\n\n        1. Implement policies and procedures to ensure that OMM employees and contractor\npersonnel who are involved with sensitive component systems receive annual computer\nsecurity awareness training.\n\n          2. 
Ensure that training is documented in the employee human resource files.\n\n\n\n\n                                                11\n\x0c                                                                              APPENDIX 1\n                                                                               Page 4 of 11\n\nCONTINGENCY PLANNING, BACKUP, AND DISASTER RECOVERY\n\nC. Service Continuity\n\nCondition:   OMM did not have an effective means of recovering or continuing critical\n             TIMS functions and operations in the event of a system failure or a disaster.\n             Specifically, we found that:\n\n                - The Gulf of Mexico Region\xe2\x80\x99s April 1996 Continuity of Operations Plan\n             had not been tested to ensure that the planned procedures for recovering\n             TIMS and other business functions were feasible.\n\n                 - Although Gulf of Mexico regional management had developed a draft\n             plan, dated September 1999, neither the draft plan nor the April 1996 plan\n             included recovering critical TIMS development and maintenance fLmctions\n             of OMM\xe2\x80\x99s Information Technology Division.\n\n                 - Regional personnel responsible for continuing critical functions in the\n             event of a disaster or an emergency were not trained in their roles and\n             responsibilities described in the Continuity of Operations Plan.\n\n                 - A copy of the Plan was not available at the designated off-site storage\n             facility.\n\n                 - Neither regional nor Information Technology Division personnel\n             ensured that backup tapes of critical TIMS data and applications were\n             routinely transferred to the off-site storage facility.\n\nCriteria:    Appendix III of Circular A-130 requires agencies to establish controls to\n             safeguard all information processed, transmitted, or stored in Federal\n   
          automated information systems. Further, the Circular requires agencies to\n             establish a contingency plan and periodically test the plan for the capability\n             to perform the agency function supported by the application in the event of\n             failure of its automated support. In addition, NIST Special Publication\n             800-12, \xe2\x80\x9cAn Introduction to Computer Security: The NIST Handbook,\xe2\x80\x9d\n             recognizes that the success of recovering all information systems operations\n             and data is largely dependent upon the adequacy of contingency planning,\n             including backup and recovery procedures and testing of the plans; requires\n             that personnel be trained in their contingency-related duties; and requires that\n             contingency plans be stored in a safe place. The Department of the Interior\xe2\x80\x99s\n             \xe2\x80\x9cAutomated Information Systems Security Handbook\xe2\x80\x9d and the MM\xe2\x80\x99SManual\n             mandate routine cyclical off-site storage for all automated information\n\n\n                                            12\n\x0c                                                                                APPENDIX 1\n                                                                                 Page 5 of 11\n\nCONTINGENCY            PLANNING,         BACKUP,       AND DISASTER          RECOVERY\n\n                systems data and applications providing critical support to the organization\xe2\x80\x99s\n                mission.\n\nCause:         OMM information technology officials did not ensure that adequate service\n               continuity controls were in place for critical TIMS functions and operations\n               to continue without undue interruption if unexpected events occurred, such\n               as a system failure. 
In addition, OMM management did not ensure that critical and sensitive TIMS application components and data were protected by being stored off-site on a routine cyclical basis.

Effect: In the event of a disaster or a system failure, OMM was at risk of not being sufficiently prepared to recover critical TIMS functions and continue critical operations.

Recommendations

We recommend that the Director of MMS:

1. Develop a Continuity of Operations Plan for the Offshore Minerals Management Information Technology Division, which includes procedures for recovery of the Division’s critical TIMS functions.

2. Periodically test the Continuity of Operations Plan and update the Plan based on the test results.

3. Ensure that copies of the Continuity of Operations Plan are maintained at the off-site facility.

4. Ensure that backup copies of TIMS applications, components, and data are stored at the off-site storage facility on a routine cyclical basis.

5. Provide training to OMM personnel who are responsible for the recovery of critical TIMS business functions and operations about their roles and responsibilities related to the Continuity of Operations Plan.

APPENDIX 1
Page 6 of 11

SYSTEM ACCESS CONTROLS

D. User Access

Condition: OMM did not adequately control access to TIMS databases. Specifically, employees who were no longer employed by MMS still had access to TIMS. For example, we found that 28 percent of employees who had terminated their employment still had access to the TIMS Gulf of Mexico regional production database; 6 percent of departed employees, including the prior Database Administrator, had access to the TIMS development database; and 13 percent of departed employees had access to the TIMS Customer User Acceptance Team database, the testing database. In addition, 798 users had access to the Customer User Acceptance Team’s database when only 79 team members were authorized to access it.

Criteria: NIST’s Special Publication 800-14, “Generally Accepted Principles and Practices for Securing Information Technology Systems,” states:

    It is necessary to periodically review user account management on a system. Reviews should examine the levels of access each individual has, conformity with the concept of least privilege, whether all accounts are still active, [and] whether management authorizations are up-to-date.

Cause: OMM Gulf of Mexico regional and Information Technology Division officials did not ensure that controls were in place to delete employee access to TIMS when employees departed the organization.

Effect: As a result, the risk was significantly increased that unauthorized users could gain access to sensitive and mission-critical TIMS data and applications.

Recommendations

We recommend that the Director of MMS:

1. Implement controls to ensure that access to TIMS for employees who have terminated employment is removed in a timely manner.

2. Ensure that access to the Customer User Acceptance Team database is limited to authorized users.

E. Number of Log-In Attempts

Condition: The number of unsuccessful log-in attempts that OMM allowed for access to TIMS exceeded the standard established by the Department of the Interior. Specifically, TIMS users were allowed six unsuccessful log-in attempts before the user was locked out of the system.

Criteria: The Department’s “Automated Information Systems Security Handbook” specifies three as the number of unsuccessful log-in attempts.

Cause: OMM information technology officials did not ensure that the number of allowed unsuccessful log-in attempts was established in accordance with Departmental standards. OMM information technology officials stated that the log-in attempt policy was set using the default settings recommended by the software vendor and the defaults set by the Royalty Management Program. However, security management officials of the Royalty Management Program had requested and were granted a waiver from the Department’s Office of Information Resources Management to deviate from the Departmental standard.

Effect: As a result, the increased number of invalid attempts reduced the effectiveness of the password as an access control.
In addition, the risk of unauthorized access to sensitive TIMS data was increased.

Recommendation

We recommend that the Director of MMS evaluate the risk involved in deviating from the Department of the Interior standard for the number of unsuccessful log-in attempts. If the Director determines that the number of invalid attempts should remain at six, OMM management should request a waiver from the Department to deviate from the standard of three attempts.

F. Password Management

Condition: The password controls established by OMM in the Windows NT operating system allowed all system users to retain the same password indefinitely, even though the system required users to change their passwords after 90 days. The controls did not require that a password history be maintained, and they allowed users to change their passwords consecutively until the original password could be reused.

Criteria: The security of a password system is dependent upon keeping passwords secret. NIST Federal Information Processing Standards Publication 112, “Password Usage,” states that passwords “should be changed periodically with a maximum interval selected by the Security Officer.” The Publication further states that the system “should check that the new password is not the same as the previous password” or any number of previous passwords and maintain a history of the passwords of each user.

Cause: OMM information technology officials did not change the Windows NT password default settings to ensure that passwords were not reused or cycled through quickly.

Effect: As a result, the risk was increased that a password could be discovered and used to obtain improper access to TIMS.

Recommendation

We recommend that the Director of MMS implement controls to ensure that system software settings are established to prevent users from reusing passwords or cycling through passwords quickly.

SOFTWARE DEVELOPMENT AND CHANGE MANAGEMENT

G. Software Change Request and Approval Process

Condition: At the Gulf of Mexico Region, formal software change control procedures had been developed and implemented for the ongoing support and maintenance of TIMS.
However, we found that OMM Information Technology Division personnel did not ensure that change requests were received from authorized users; that the changes were coordinated among all the OMM regions; and that all changes were reviewed, approved, and prioritized by the OMM Maintenance Change Board. During October 1998 through June 1999, there were 1,157 change requests for TIMS, of which we statistically selected 132 changes¹ to determine the adequacy of the change management process. We found that of the 132 sampled change requests, 24 change requests (19 percent) were not submitted by an authorized user representative and 130 change requests (98 percent) were not coordinated with user representatives in the other three OMM regions. We also found no documentation to support that the changes had been reviewed and prioritized by the Maintenance Change Board.

Criteria: NIST Federal Information Processing Standards Publication 106, “Guideline on Software Maintenance,” prescribes guidelines for maintaining software. According to the Publication, the primary purpose of change control (or change management) is to ensure smooth operational continuity and orderly evolution of the system. Effective change controls are needed to ensure that all software installations are performed in a structured and controlled manner and to provide management with a chronological history of all software modifications. Key change management control points ensure that all changes to hardware and software are formally requested, approved, and documented. In addition, the Publication states that “there should be a centralized approval point for all software maintenance projects.” Also, the “TIMS Methodology Handbook” states that Customer User Acceptance Team “leaders in the regions [should] coordinate program changes and issues among themselves before submitting a written request to the Information Technology Division.” In addition, the Handbook requires the Maintenance Change Board to review and prioritize software change requests.

Cause: Division personnel did not enforce OMM policies and procedures that required change requests to be accepted from Customer User Acceptance Team leaders only, to be coordinated among the OMM regions, and to be reviewed and prioritized.

¹ Although we selected 132 change requests for review, we did not review all of the requests for specific attributes because some of the requests selected were canceled or were not completed at the time of our review.

Effect: As a result, the risk is increased that operational problems will be introduced into the TIMS production environment. Because change requests result in changes to the TIMS production environment that are implemented in all OMM regions, the lack of control and coordination of change requests among the Customer User Acceptance Team leaders could result in changes being made for one region that affect another region’s ability to access and process transactions efficiently and effectively. Further, the resultant errors and production problems could be time-consuming and difficult to diagnose and correct. Additionally, without review and prioritization of change requests, there is little assurance that the most critical changes will be implemented first.

Recommendations

We recommend that the Director of MMS:

1. Enforce TIMS change control policies and procedures to ensure that all modifications are properly coordinated, authorized, approved, reviewed, and prioritized.

2. Evaluate the current policy for submitting changes to TIMS and determine whether the number of authorized persons who submit software changes can be reduced.

H. Testing

Condition: Testing and documentation of software changes to TIMS were not adequate. Specifically, we found that, of the 108 changes tested, 62 changes (57 percent) did not have test plans. In addition, 24 (24 percent) of 100 changes were not tested by either the quality assurance group or the user group (see footnote 1 in Finding G).

Criteria: Publication 106 states that testing standards and procedures “should define the degree and depth of testing to be performed and the disposition of test materials upon successful completion of the testing.” Also, the Publication states that testing is a critical component of software maintenance and that test plans should define the expected output of a test and test for valid, invalid, expected, and unexpected cases. In addition, the “TIMS Methodology Handbook” states that test plans are to be developed and kept current for each of the TIMS components. Test plans also became required documentation in 1998.

Cause: Although OMM had policies and procedures for software development and change management, OMM management did not ensure that the software change policies and procedures were complied with.

Effect: As a result, the risk was increased that processing irregularities or malicious code could be introduced, sensitive data could lack integrity, and TIMS applications may not function to meet user requirements.

Recommendation

We recommend that the Director of MMS enforce its policies and procedures for developing test plans, testing software changes, and documenting test results for all changes made to TIMS.

APPENDIX 2

COMPONENTS OF TECHNICAL INFORMATION MANAGEMENT SYSTEM

Adjudication Tracking System (ATS)
Block and Boundary
Supplemental Bonding
Certs
Civil Penalty
Company and Bonding
Element Data Dictionary
Environmental: Coris
Environmental: Physical
Environmental: Social
Events
Form Navigation
Geologic
Inspections
Lease Administration
Lease Status
Lease Suspensions
Meters
Oil Spill Financial Responsibility
Performance Review
Pipelines
Plans
Platforms
Post Sale
Presale
Production
Public Information
Rate Control
Reserves
Rigs
Royalty Relief
Sale
Sampling
Security
Seismic
TIMS Methodology
TIMS Shared
TIMS Support Library
Tract Evaluation
Units
Wells

APPENDIX 3
Page 1 of 8

United States Department of the Interior
MINERALS MANAGEMENT SERVICE
Washington, DC 20240

JUL 19 2000

Memorandum

To: Assistant Inspector General for Audits

Through: Sylvia V. Baca
Assistant Secretary, Land and Minerals Management

Walt Rosenbusch
Director, Minerals Management

Subject: Office of Inspector General Draft Audit Report, “General and Application Controls Over the Technical Information Management System, Offshore Minerals Management, Minerals Management Service” [A-IN-MMS-001-99-R]

Thank you for the opportunity to respond to the draft audit report on our Technical Information Management System. We are providing to you our general comments on the audit findings and specific ones on the recommendations.
We agree with all 15 recommendations and are in the process of implementing them.

Please contact Bettine Montgomery at (202) 208-3976 if you have any further questions.

Attachment

Minerals Management Service Response to Draft Audit Report
“General and Application Controls System”

Audit Agency: Office of Inspector General

Report Number: A-IN-MMS-001-99-R (May 2000)

GENERAL COMMENTS

We appreciate the opportunity to review and comment on the Office of Inspector General’s draft audit report referenced here. Overall, we believe this was a fair evaluation of the Technical Information Management System in our New Orleans Office. We concur with all the recommendations provided in the report. We will respond to each of the eight weaknesses identified by providing (1) how we have already addressed improving the controls over TIMS, (2) how we plan to address improving the controls that are not currently in place, or (3) information in support of the controls we have in place, and therefore challenge the findings of the OIG.

COMMENTS ON WEAKNESSES AND RECOMMENDATIONS

A. Computer Security Plan: MMS had not developed a security plan for TIMS, which has been identified by MMS as a sensitive and mission critical system.

Recommendation A1. We recommend that the Director of MMS ensure that a computer security plan for TIMS is developed, implemented, and monitored in accordance with the United States Code, Office of Management and Budget Circular A-130, and National Institute of Standards and Technology guidelines.

Response: AGREE - MMS has identified TIMS as a sensitive and mission critical system. Because of this designation, the Offshore Minerals Management Program had a draft security plan that was provided to the OIG Auditor. This plan was in addition to the TIMS Y2K document addressed in the Report. We agree that our plan did not meet the statutory requirements for a security plan. During the audit, OMM began the development of a plan to meet the requirements addressed in OMB Circular A-130, Appendix III, and NIST Special Publication 800-18.

The responsible official is the Chief, Information Technology Division.

Target Date: We plan to have a draft document prepared for review by the end of October 2000 and a final computer security plan completed by no later than March 2001. By the time the security plan for TIMS is completed, all OMM users will have been trained on their security responsibilities in the use of the system.

B. Computer Security Training: Mandatory computer security awareness training had not been provided to OMM employees and contractor personnel.

Recommendation B1. Implement policies and procedures to ensure that OMM employees and contractor personnel who are involved with sensitive component systems receive annual computer security awareness training.

Response: AGREE - OMM has not held periodic training as required by the Computer Security Act of 1987 (P.L. 100-235) for “all employees [and contractors] who are involved with the management, use, or operation of each Federal computer system within or under the supervision of that agency.” We are in the process of developing and implementing policies and procedures to ensure that employees and contractor personnel receive periodic computer security awareness training. Nowhere in the laws and regulations did we find that the training is mandatory on an annual basis. OMM will provide security awareness training for new employees and contractors within 60 days of working on the OMM systems. All new employees and contractors must complete a Computer Services Access Request form prior to receiving an account on the MMS computer system. This request form includes five security statements that require the user’s signature before the account is assigned.

OMM has appointed a new security officer and recently hired a security specialist to develop, implement, and monitor security policy. These individuals also are charged with the development and implementation of a computer security awareness training program for users, systems administrators, and management within OMM. All OMM employees and contractors will participate in a security awareness training program before the end of Calendar Year 2000. All employees will have, at a minimum, computer awareness training every even numbered calendar year. Periodic security alerts will be sent to all employees on an as needed basis, or as conditions warrant an update.

Recommendation B2. Ensure that training is documented in the employee human resources files.

Response: AGREE - OMM will ensure that the computer security awareness training is documented in the employee’s human resources file.

The responsible official is the Deputy Associate Director for Offshore Minerals Management.

Target date: We will train all OMM employees and contractors in computer security awareness by December 2000.

C. Service Continuity: OMM did not have an effective means of recovering or continuing critical TIMS functions and operations in the event of a system failure or a disaster. The Gulf of Mexico Region’s April 1996 Continuity of Operations Plan has not been tested. The Plan did not include recovering critical TIMS development and maintenance functions. The Regional personnel responsible for the Plan had not been trained in their roles and responsibilities. The Plan was not available at the designated offsite storage facility. The backup tapes of critical TIMS data and applications were not routinely transferred to the off-site storage facility.

Recommendation C1. Develop a Continuity of Operations Plan for the Offshore Minerals Management Information Technology Division, which includes procedures for recovery of the Division’s critical TIMS functions.

Response: AGREE - Since the audit was conducted, OMM has reorganized various functions within the New Orleans Office. We have moved all TIMS server hardware, development, and Gulf of Mexico Region production under one management structure.
A new Continuity of Operations Plan has been finalized for the New Orleans computer center that includes all hardware operations at that location. The Plan also includes procedures for the recovery of critical TIMS functions.

Recommendation C2. Periodically test the Continuity of Operations Plan and update the Plan based on the test results.

Response: AGREE - We plan to test the New Orleans Continuity of Operations Plan prior to the end of Calendar Year 2000 and on a regular basis in the future.

Recommendation C3. Ensure that copies of the Continuity of Operations Plan are maintained at the offsite facility.

Response: AGREE - An updated copy of the Continuity of Operations Plan can be found in the Headquarters office of the Information Technology Division and also at a new offsite storage facility in the New Orleans area.

Recommendation C4. Ensure that backup copies of TIMS applications, components, and data are stored at the offsite storage facility on a routine cyclical basis.

Response: AGREE - We have established and implemented new backup procedures. We also store backup copies of the TIMS applications, components, and data at the new offsite storage facility in the New Orleans area. These items are rotated on a routine basis as defined in the Continuity of Operations Plan. All boxes are clearly labeled for quick recovery.

Recommendation C5. Provide training to OMM personnel who are responsible for the recovery of critical TIMS business functions and operations about their roles and responsibilities related to the Continuity of Operations Plan.

Response: AGREE - We will train OMM personnel concerning their roles and responsibilities for the recovery of critical TIMS business functions and operations.

The responsible official is the Regional Director, Gulf of Mexico Region.

Target date: Test New Orleans Continuity of Operations Plan by December 2000.

D. User Access: OMM did not adequately control access to the TIMS databases. Specifically, employees who were no longer employed by MMS still had access to the TIMS.

Recommendation D1. Implement controls to ensure that access to TIMS for employees who have terminated employment is removed in a timely manner.

Response: AGREE - When an employee leaves the Bureau, a procedure is in place to terminate all access to the MMS and TIMS systems.

Recommendation D2. Ensure that access to the Customer User Acceptance Team database is limited to authorized users.

Response: AGREE - We have implemented new procedures to ensure that access is available only to those who have a need to know the TIMS information. Procedures have also been put in place to provide access to only those who have completed a user access form. The Office of Responsibility must also grant permission prior to the user having access to the TIMS data. We have established a database to track user access to the TIMS system. The same procedures will be followed for all employees requiring access to the Customer User Acceptance Team database.

The responsible official is the Deputy Associate Director, Offshore Minerals Management.

Target date: Task Completed.

E. Number of Log-In Attempts: OMM’s number of unsuccessful log-in attempts to access TIMS exceeded the standard established by the Department of the Interior. Specifically, TIMS users were allowed six unsuccessful log-in attempts before the user was locked out of the system.

Recommendation E1. MMS should evaluate the risk involved in deviating from the Department of the Interior standard for the number of unsuccessful log-in attempts. If the Director determines that the number of invalid attempts should remain at six, OMM management should request a waiver from the Department to deviate from the standard of three attempts.

Response: AGREE - The number of unsuccessful log-in attempts has been established at three unsuccessful log-in attempts before the user is locked out of the system.

The responsible official is the Deputy Associate Director, Offshore Minerals Management.

Target Date: Task Completed.

F. Password Management: The password controls established by OMM in the Windows NT operating system allows all system users to retain passwords indefinitely, even though the system required users to change their passwords after 90 days. The controls did not require that a password history be maintained, and the controls allowed users to change their passwords consecutively until the original password could be reused.

Recommendation F1. MMS should implement controls to ensure that system software settings are established to prevent users from reusing passwords or cycling through passwords quickly.

Response: AGREE - All NT servers that are supported by OMM and MMS have the password setting to prevent the reuse or quick recycling of passwords. These passwords must be changed every 90 days. The Council of Information Management Officials established this policy on behalf of the Bureau.

The responsible officials are members of the Council of Information Management Officials.

Target Date: Task Completed.

G. Software Change Request and Approval Process: At the Gulf of Mexico Region, formal software change control procedures had been developed and implemented for the ongoing support and maintenance of TIMS. However, we found that OMM Information Technology Division personnel did not ensure that change requests were received from authorized users; that the changes were coordinated among all the OMM regions; and that all changes were reviewed, approved, and prioritized by the OMM Maintenance Change Board. We also found no documentation to support that the changes had been reviewed and prioritized by the Maintenance Change Board.

Recommendation G1. Enforce TIMS change control policies and procedures to ensure that all modifications are properly coordinated, authorized, approved, reviewed, and prioritized.

Response: AGREE - The Information Technology Division has not been in the position to reject the TIMS maintenance and/or enhancement change requests submitted by the program office. In the early development of TIMS, OMM established the Component User Acceptance Team leader concept for each major subject area of TIMS to be the focal point for ongoing program changes. The Teams are responsible for the program view and coordination of their respective components. The Information Technology Division implemented the change requests as submitted.

To deal with the large number of change requests, the TIMS Project Office established a Change Control Group (called Maintenance Change Board in the Report). The Information Technology analyst who knew the design and was responsible for the maintenance of the TIMS components was a member of this Group. The TIMS Maintenance Methodology states that all requests will be reviewed and prioritized, and deadlines will be set for implementation. All change requests are entered into the tracking system called Defect Control System. The Change Control Group reviewed all outstanding work requests in the Defect Control System and made assignments to the staff, weekly. The tracking of the request in the Defect Control System was the documentation.

The OMM Information Technology Division staff did not track nor collect information in reference to the Component User Acceptance Team coordinating change requests with peers in other regions. That is the responsibility of the Team leader.
Upon completion of a work request of the Information Technology Division staff, all Component User Acceptance Teams for that component were notified by the Information Technology Division that the work request was completed. The module was then ready for testing prior to final deployment to all OMM sites.

In October 1999, the Information Management Committee determined that it needed to better manage the change control policies and procedures. The Committee authorized the creation of a new TIMS Change Control Board. The Board is comprised of representatives from the OMM program offices and chaired by the Deputy Regional Director of the Gulf of Mexico Region. The purpose of the Change Control Board is to review, monitor, evaluate, approve/disapprove, and prioritize all enhancement and maintenance requests (submitted by the TIMS users) for current TIMS components. The Board will also review usage of the TIMS forms and reports and eliminate unused or underutilized and non-critical forms and reports.

With the development of this Board, all programmatic changes, corrections, amendments, reforms, improvements, enhancements, or upgrades made to the TIMS components are reviewed, approved/disapproved, and prioritized. This review also entails an evaluation of the potential costs and benefits of proposed changes.

Recommendation G2. Evaluate the current policy for submitting changes to TIMS and determine whether the number of authorized persons who submit software changes can be reduced.

Response: AGREE - The Change Control Board is not only responsible for enforcing the change control policies and procedures, but also controls the number of changes that can be made to the system. The Information Technology Division is in the final stage of implementing a replacement for the work request tracking system known as Defect Control System. The new software system is a commercial off-the-shelf solution called Visual Interceptor. Interceptor is web based and will only allow authorized Component User Acceptance Teams to forward approved work requests to the Change Control Board for final review and prioritization. This new web-based system will be in place by the end of calendar year 2000.

The responsible official is the Deputy Associate Director for Offshore Minerals Management.

Target Date: Policy to limit number of persons submitting changes - Completed. Implementation of request tracking by December 2000.

H. Testing: Testing and documentation of software changes to TIMS were not adequate. Specifically, we found that, of the 108 changes tested, 62 changes (57 percent) did not have test plans. In addition, either the quality assurance group or the user group did not test 24 of 100 (24 percent) changes.

Recommendation H1. MMS should enforce its policies and procedures for developing test plans, testing software changes, and documenting test results for all changes made to TIMS.

Response: AGREE - We agree with the recommendation made in the report that OMM should enforce the TIMS Maintenance Methodology policies and procedures related to testing and its documentation. We do not agree with the analysis that drew the auditors to their recommendations. Based on our analysis of the full 132 sample set, our findings are different from the auditor. Specifically, of the 62 changes (57 percent) that did not have individual test plans, OMM determined 59 changes to be exceptions that did not require test plans. Although the TIMS Maintenance Methodology requires test plans, there are certain changes that are considered routine and/or minor and, therefore, would not require individual test plans. These exceptions include reports (41); and system administration functions, database triggers, packages, and menu change requests (18). Therefore, OMM found that only 3 of the 62 changes should have had test plans based on the TIMS Maintenance Methodology. Reports are covered by a generic test plan since they are fairly simple and do not require individual test plans.

In addition, we concur that the quality assurance or the user group did not test 24 of 100 changes. We determined that there were 20 exceptions to these changes. These exceptions included data dictionary, domain value, or menu changes. The Database Administrator makes these changes and, upon completion, the Component User Acceptance Team members or an analyst tests the change. We conclude that there were only four changes that were not tested before they were put on the production machine. Therefore, the quality assurance group or the user group did not test only 4 percent of the changes.

The Information Technology Division is converting to a new change control tracking system, called Visual Interceptor, that will better serve our customers with online web access to the status of all change requests. We will properly identify all stages of the life cycle of a change request. This new system should be fully operational by the end of the calendar year 2000. A change request can be submitted for many Information Technology functions, not just a change to a TIMS program.

We recognize the need for test plans and for adequate testing of the changes, and we plan to continue this process. We also have tightened up and enforced the policies and procedures we have in place. There are numerous exceptions and alternative test procedures that accompany the change management. These exceptions need to be further identified in our TIMS Maintenance Methodology. We will continue our review of existing methodology to expand testing and acceptance criteria to improve the process.
Documentation will occur\nthrough the implementation of the new change control tracking system.\n\nThe responsible official is the Deputy Associate Director for Offshore Minerals\nManagement.\n\nTarget Date: Enforcement of required test plans and testing - Completed.\n             Implementation of request tracking by December 2000.\n\x0c                                                                     APPENDIX 4\n\n         STATUS OF AUDIT REPORT RECOMMENDATIONS\n\nFinding/Recommendation\n          Reference                   Status             Actions Required\nA.l, B.l, B.2, C.2, C.5, G.2,   Resolved; not   No further response to the Office\nand H.l                         implemented.    of Inspector General is required.\n                                                The recommendations will be\n                                                forwarded to the Assistant\n                                                Secretary for Policy, Management\n                                                and Budget for tracking of\n                                                implementation.\n\nC.l, C.3,C.4, D.1, D.2,         Implemented.    No further response is required.\nE.l, F-1, and G.l\n\n\n\n\n                                           29\n\x0c                  ILLEGAL OR WASTEFUL ACTIVITIES\n                       SHOULD BE REPORTED TO\n                 THE OFFICE OF INSPECTOR GENERAL\n\n\n                     Internet Complaint        Form Address\n\n\n                   http://www.oig.doi.gov/hotline_form.html\n\n\n\n                   Within the Continental         United States\n\nU.S. Department of the Interior                        Our 24-hour\nOffice of Inspector General                            Telephone HOTLINE\n1849 C Street, N.W.                                    l-800-424-508 1 or\nMail Stop 5341 - MIB                                   (202) 208-5300\nWashington, D.C. 
20240-0001\n                                                       TDD for hearing impaired\n                                                       (202) 208-2420\n\n\n\n                  Outside the Continental         United States\n\n                                    Caribbean Region\n\nU.S. Department of the Interior                        (703) 235-9221\nOffice of Inspector General\nEastern Division - Investigations\n4040 Fairfax Drive\nSuite 303\nArlington, Virginia 22203\n\n                                     Pacific Region\n\nU.S. Department of the Interior                        (671) 647-6060\nOffice of Inspector General\nGuam Field Pacific Office\n4 15 Chalan San Antonio\nBaltej Pavilion, Suite 306\nAgana, Guam 96911\n\x0cU.S. Department of the Interior\nOffice of Inspector General\n1849 C Street, NW\nMail Stop 5341- MIB\nWashington, D.C. 20240-000 1\n\nToll Free Number\n                      1\n\n      l-800-424-508   \xe2\x80\x981\n\n\nCommercial Numbers\n    (202) 208-5300\n    TDD (202) 208-2420\n\x0c'